Ok, I don’t know if I could have had a snappier title, but as this blog is really for me to write stuff for my own use and reference, I guess it’s what works for me.
I don’t intend a deep discussion of how encryption works, or of any form of cryptography, so if that’s what you are after you are in the wrong place. What I am writing is my understanding, in its simplest form, of how symmetric and asymmetric encryption work, what they are used for (generally, not literally) and the difference between public and private keys.
Symmetric encryption, also called single key encryption, uses the same key for both the sender and the recipient. On its own it gives no confirmation that the data arrived in its original form; it is used to keep data confidential between two places. A simple example of symmetric encryption is when you password protect an office document, send it to your colleague, friend or family member, then phone them up and tell them what the password is.
There is clearly a difficulty with this, because you have to give that key to anyone who needs to read your document. This can lead to it being sent insecurely via email, or read out over the phone where it can be overheard – well, you get the picture.
Asymmetric encryption is also called dual key encryption or public/private key encryption. One key is private and known only to its owner; the other is publicly available.
The two keys are, however, like the two ends of a magnet: each can only undo what the other did. If information is encrypted with a private key it can only be decrypted by its associated public key, and if information is encrypted with a public key it can only be decrypted by its associated private key.
Note that the public key is available to all. So what’s the point? Why would you encrypt something and then tell everyone how to decrypt it? Well, it “proves” that the information came from the holder of that private key – if you know who that is, and the matching public key decrypts the information successfully, you can safely assume the sending source is the owner of the private key.
The most common usage example of both of these is in the web protocol HTTPS. It is a secure version of HTTP and it uses certificates (which carry the server’s public key).
When you go to a website that uses HTTPS the following happens:
- The client computer connects to the website and says hello. Included in the hello is a random number.
- The server running the website responds and sends the client a copy of its certificate and its own random number.
- The client checks the certificate against lists that indicate whether it has been revoked for any reason and, if not, extracts the public key from it.
- The client generates a “temporary secret”, encrypts it with the web server’s public key and sends it to the server.
- The web server decrypts the “temporary secret” using its private key.
- Both the client and the server now hold the same three pieces of information: the two random numbers and the temporary secret. Using these they each generate the same “Master Secret”.
- The client sends some calculated information, known as a hash, encrypted with this “Master Secret”.
- The server decrypts the information and compares it to the same calculated information it created using its own Master Secret. If they match, the “Master Secret” becomes the key for symmetric encryption and all further data is encrypted with it.
This process demonstrates both symmetric and asymmetric encryption in practice.
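The handshake steps above, condensed into a runnable sketch. This is an added example written for this post, not code from the original: it stands in a textbook RSA pair from two tiny constructed primes (61 and 53) for the real certificate, uses an HMAC in place of the TLS PRF, and the function names are my own.

```python
import hashlib
import hmac
import secrets

# Textbook RSA pair built from two tiny constructed primes (p=61, q=53).
# A real server uses a 2048-bit key with OAEP padding inside a certificate;
# this only shows that the private key undoes what the public key did.
P, Q, E = 61, 53, 17
N = P * Q                              # public modulus (3233), sent in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (2753), never leaves the server


def rsa_public_encrypt(m: int) -> int:
    """Anyone holding (E, N) can do this step."""
    return pow(m, E, N)


def rsa_private_decrypt(c: int) -> int:
    """Only the holder of D can do this step."""
    return pow(c, D, N)


def master_secret(client_random: bytes, server_random: bytes, temp: int) -> bytes:
    """Simplified stand-in for the TLS PRF: mix both randoms with the temp secret."""
    return hmac.new(temp.to_bytes(2, "big"), client_random + server_random,
                    hashlib.sha256).digest()


def finished_mac(master: bytes, transcript: bytes) -> bytes:
    """Keyed hash of everything exchanged so far (the post's 'calculated information')."""
    return hmac.new(master, transcript, hashlib.sha256).digest()


def handshake(temp_secret=None) -> dict:
    """Run the exchange from the post and return what each side ends up holding."""
    client_random = secrets.token_bytes(32)            # client hello
    server_random = secrets.token_bytes(32)            # server hello, plus (E, N)
    temp = secrets.randbelow(N - 2) + 2 if temp_secret is None else temp_secret
    wire = rsa_public_encrypt(temp)                    # only this crosses the network
    server_temp = rsa_private_decrypt(wire)            # server recovers temp with D
    transcript = client_random + server_random + wire.to_bytes(2, "big")
    client_master = master_secret(client_random, server_random, temp)
    server_master = master_secret(client_random, server_random, server_temp)
    # Constant-time compare of the two Finished values; a mismatch means the
    # handshake was tampered with and no application data should be sent.
    verified = hmac.compare_digest(finished_mac(client_master, transcript),
                                   finished_mac(server_master, transcript))
    return {"wire": wire, "server_temp": server_temp, "client_master": client_master,
            "server_master": server_master, "verified": verified}
```

An eavesdropper sees only `wire` and the public pair (E, N); without D they cannot recover the temporary secret, so they cannot derive the master secret either.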